-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[3.0] prometheus - Fix CVE-2023-45288 (#10956)
Co-authored-by: CBL-Mariner Servicing Account <[email protected]> Co-authored-by: Mykhailo Bykhovtsev <[email protected]> Co-authored-by: Andrew Phelps <[email protected]>
- Loading branch information
4 people
authored
Nov 13, 2024
1 parent
ea0f491
commit ac59afa
Showing
2 changed files
with
92 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 | ||
| From: Damien Neil <[email protected]> | ||
| Date: Wed, 10 Jan 2024 13:41:39 -0800 | ||
| Subject: [PATCH] http2: close connections when receiving too many headers | ||
|
|
||
| Maintaining HPACK state requires that we parse and process | ||
| all HEADERS and CONTINUATION frames on a connection. | ||
| When a request's headers exceed MaxHeaderBytes, we don't | ||
| allocate memory to store the excess headers but we do | ||
| parse them. This permits an attacker to cause an HTTP/2 | ||
| endpoint to read arbitrary amounts of data, all associated | ||
| with a request which is going to be rejected. | ||
|
|
||
| Set a limit on the amount of excess header frames we | ||
| will process before closing a connection. | ||
|
|
||
| Thanks to Bartek Nowotarski for reporting this issue. | ||
|
|
||
| Fixes CVE-2023-45288 | ||
| Fixes golang/go#65051 | ||
|
|
||
| Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 | ||
| Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 | ||
| Reviewed-by: Dmitri Shuralyov <[email protected]> | ||
| Auto-Submit: Dmitri Shuralyov <[email protected]> | ||
| Reviewed-by: Than McIntosh <[email protected]> | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ | ||
| 1 file changed, 31 insertions(+) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go | ||
| index c1f6b90..175c154 100644 | ||
| --- a/vendor/golang.org/x/net/http2/frame.go | ||
| +++ b/vendor/golang.org/x/net/http2/frame.go | ||
| @@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
| if size > remainSize { | ||
| hdec.SetEmitEnabled(false) | ||
| mh.Truncated = true | ||
| + remainSize = 0 | ||
| return | ||
| } | ||
| remainSize -= size | ||
| @@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
| var hc headersOrContinuation = hf | ||
| for { | ||
| frag := hc.HeaderBlockFragment() | ||
| + | ||
| + // Avoid parsing large amounts of headers that we will then discard. | ||
| + // If the sender exceeds the max header list size by too much, | ||
| + // skip parsing the fragment and close the connection. | ||
| + // | ||
| + // "Too much" is either any CONTINUATION frame after we've already | ||
| + // exceeded the max header list size (in which case remainSize is 0), | ||
| + // or a frame whose encoded size is more than twice the remaining | ||
| + // header list bytes we're willing to accept. | ||
| + if int64(len(frag)) > int64(2*remainSize) { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: header list too large") | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| + // Also close the connection after any CONTINUATION frame following an | ||
| + // invalid header, since we stop tracking the size of the headers after | ||
| + // an invalid one. | ||
| + if invalid != nil { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: invalid header: %v", invalid) | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| if _, err := hdec.Write(frag); err != nil { | ||
| return nil, ConnectionError(ErrCodeCompression) | ||
| } | ||
| -- | ||
| 2.44.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ | |
| Summary: Prometheus monitoring system and time series database | ||
| Name: prometheus | ||
| Version: 2.45.4 | ||
| Release: 3%{?dist} | ||
| Release: 4%{?dist} | ||
| License: Apache-2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -18,7 +18,8 @@ Source5: prometheus.logrotate | |
| Source6: promu-%{promu_version}.tar.gz | ||
| # Debian patch for default settings | ||
| Patch0: 02-Default_settings.patch | ||
| Patch1: CVE-2024-6104.patch | ||
| Patch1: CVE-2023-45288.patch | ||
| Patch2: CVE-2024-6104.patch | ||
| BuildRequires: golang | ||
| BuildRequires: nodejs | ||
| BuildRequires: nodejs-npm | ||
|
|
@@ -135,6 +136,9 @@ fi | |
| %doc README.md RELEASE.md documentation | ||
|
|
||
| %changelog | ||
| * Wed Nov 06 2024 Nicolas Guibourge <[email protected]> - 2.45.4-4 | ||
| - Fix CVE-2023-45288 | ||
|
|
||
| * Fri Aug 02 2024 Bala <[email protected]> - 2.45.4-3 | ||
| - Fix CVE-2024-6104 by patching vendor gomodule | ||
|
|
||
|
|
||